Understand data encryption for fields
- Applies to the following fields: Single line, email, date, date-time, number, percent, decimal, and currency
- Learn how to manage data encryption for fields
Encryption adds a layer of security to data, protecting it from being stolen or lost. It is the process of encoding information so that it is accessible only to authorized parties. Even if a potential hacker gets hold of the data, the information stored in the cipher text is unreadable.
Encryption can be used in two situations:
- Encryption in Transit: Data is usually encrypted when it is in transit (transferred from one place to another). This is to prevent others from accessing the data en route. This provides a considerable level of security for the information.
- Encryption at Rest (EAR): This is a data protection measure that stores data in an encrypted format when it's at rest (not moving).
Although encrypting data in transit provides good security, also encrypting it when it is stored on the servers provides an even higher level of security. EAR prevents any possible security leaks or losses while the data is in storage. Refer to this page to learn about Zoho's security practices, policies, and infrastructure.
Encryption at Rest (EAR) in Zoho
Encryption at Rest (EAR) in Zoho uses AES-256, a symmetric encryption algorithm with 128-bit blocks and 256-bit keys, to encrypt and decrypt the data. It is one of the more advanced methods of encryption. Zoho encrypts data using the Cipher Block Chaining (CBC) mode of operation of AES.
Keys are the means through which you can retrieve the encrypted data. The key used to convert the data from plain text to cipher text is called the Data Encryption Key (DEK). The DEK is further encrypted using the Key Encryption Key (KEK), providing yet another layer of security.
Hence, the data in your Zoho Creator app is equipped with three layers of security:
- Encrypted data (Cipher text) is stored in the Zoho Creator Database
- Encrypted DEKs are stored in KMS (Key Management System)
- Encrypted KEKs are stored in IAM (Identity and Access Management) servers
The retrieval of data goes through three levels. Hence, the level of security is increased considerably.
The encryption process
- The encryption agent determines, from the metadata, whether to encrypt the field before storing it in the database.
- The encryption agent checks the cached memory for matching DEKs. If no matching DEKs are found, the encryption agent requests a DEK from the KMS.
- The KMS checks its database for a matching encrypted DEK.
  - If the matching encrypted DEK is found, the KMS decrypts the encrypted DEK and returns it to the encryption agent.
  - If no matching DEK is found, the KMS generates a DEK. This new DEK is encrypted with KEKs and stored in the KMS servers.
- The agent receives the Data Encryption Key (DEK), then encrypts/decrypts the data using 256-bit AES encryption.
- The cipher text (the encrypted data) is then stored in the Zoho Creator Database.
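The key hierarchy and the lookup flow described above, as an added Node.js sketch (not Zoho's code). The class names, the `keyId` label, the per-value random IV and the use of AES-256-CBC to wrap the DEK are assumptions made for illustration.

```javascript
// Added illustration; Kms, EncryptionAgent and keyId are hypothetical names.
const nodeCrypto = require('node:crypto');

// AES-256-CBC with a fresh random 16-byte IV stored in front of the ciphertext.
// CBC gives confidentiality only; this sketch adds no integrity check (MAC).
function aesCbcEncrypt(key, plaintext) {
  const iv = nodeCrypto.randomBytes(16);
  const c = nodeCrypto.createCipheriv('aes-256-cbc', key, iv);
  return Buffer.concat([iv, c.update(plaintext), c.final()]);
}
function aesCbcDecrypt(key, blob) {
  const d = nodeCrypto.createDecipheriv('aes-256-cbc', key, blob.subarray(0, 16));
  return Buffer.concat([d.update(blob.subarray(16)), d.final()]);
}

// Stands in for the KMS: persists only DEKs wrapped (encrypted) with the KEK.
class Kms {
  constructor(kek) { this.kek = kek; this.wrapped = new Map(); this.generated = 0; }
  getDek(keyId) {
    if (!this.wrapped.has(keyId)) {          // no matching DEK: generate and wrap one
      const dek = nodeCrypto.randomBytes(32);
      this.wrapped.set(keyId, aesCbcEncrypt(this.kek, dek));
      this.generated++;
    }
    return aesCbcDecrypt(this.kek, this.wrapped.get(keyId)); // unwrap for the agent
  }
}

// Stands in for the encryption agent: checks its cache before asking the KMS.
class EncryptionAgent {
  constructor(kms) { this.kms = kms; this.cache = new Map(); }
  dekFor(keyId) {
    if (!this.cache.has(keyId)) this.cache.set(keyId, this.kms.getDek(keyId));
    return this.cache.get(keyId);
  }
  // fieldMeta.encrypt mirrors the field's metadata flag; plain fields pass through.
  store(fieldMeta, value) {
    if (!fieldMeta.encrypt) return value;
    const blob = aesCbcEncrypt(this.dekFor(fieldMeta.keyId), Buffer.from(value, 'utf8'));
    return blob.toString('base64');          // cipher text as written to the database
  }
  load(fieldMeta, stored) {
    if (!fieldMeta.encrypt) return stored;
    const blob = Buffer.from(stored, 'base64');
    return aesCbcDecrypt(this.dekFor(fieldMeta.keyId), blob).toString('utf8');
  }
}
```

A database dump alone yields only base64 cipher text, and a KMS dump alone yields only wrapped DEKs; recovering a value requires the KEK as well.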
Encrypting data at rest in your Zoho Creator apps
You can enable EAR for the data stored in the fields of your Zoho Creator app by enabling the Encrypt data field property.
Before enabling the Encrypt data field property
- Encryption converts the data in a field to text. Therefore, to enable data encryption for a field, you will first need to remove its references from other components like lookup fields (in other forms), reports, and workflows. Zoho Creator will display a prompt containing all such references. Refer to manage data encryption to learn more.
- Enabling data encryption is not supported when the no duplicate values property is enabled for that field, and vice versa.
- Encrypting data requires time. We've estimated that it takes up to 30 seconds to encrypt the data in 100,000 records. However, while this happens, your users won't be able to access your app. For example, if you initiate data encryption for a field while a user is entering data in that form, they won't be able to submit the form. We recommend that you plan for this pause before you initiate data encryption for a field.
Working with fields that contain encrypted-at-rest data
Encryption converts the data in a field to text. Therefore, these fields can be searched for data using only the following operators: Is, Is Not, Is Empty, and Is Not Empty. This applies to both reports and workflows.
In reports, the fields containing encrypted data will display the original (decrypted) value by default. This can be customized as follows:
- Set the Display Value as:
  - Without mask: Displays the decrypted value. This is selected by default.
  - Show first n characters decrypted, while the rest of the data is represented by a few asterisks (*)
  - Show last n characters decrypted, while the rest of the data is represented by a few asterisks (*)
  - With mask: Mask the data by displaying five asterisks (*) instead
- Enable Show value on click (or tap): This option becomes available when the Display Value is set to a value other than Without mask